FW: Reviving an old idea about renaming forbidden extensions

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Thu Jan 9 22:00:04 GMT 2003


It might be less irritating to users (and easier to understand) to zip
the file rather than obfuscate the filename (although obviously more CPU
intensive).  The option to add text to the message explaining what has
been done and how dangerous it is to execute unsolicited files may also
prove attractive.  (Not for me though I just block 'em!)


On Thu, 2003-01-09 at 20:20, Julian Field wrote:

Good idea. I'll take a look, but no promises.

At 20:13 09/01/2003, you wrote:
>Almost a year ago (Jan 2002), I sent a mail to Julian with the following
>suggestion:
>
> >I would like to make the following suggestion with regards to
> >'forbidden extensions'. There are currently two options: ban them if
> >they're on the list, or allow them if they do not contain a virus.
> >How about a third option: rename the file (if it does not contain a
> >known virus, of course) to make it not immediately executable, for
> >instance by replacing .ext with ~ext and adding an explanatory line
> >like 'MailScanner changed filename.pif to filename~pif to prevent
> >immediate execution; shortcuts to (&etc) are dangerous, so be very
> >cautious about renaming the file and executing it.' Or something
> >like that. Some people actually send virus-free files with .pif and
> >.reg extension through our servers ... they're not too happy ..
>
>I implemented the .exe restriction about three days ago, and the sun
>doesn't shine anymore over here. I had to let it go, even though I'm fully
>opposed to sending directly executable content through email. Lots of users
>(mainly businesses in our case) were severely hindered by this restriction,
>and even though I'm as BOFH as they come, frustrating clients' mailflow is
>not on my priority list (well, not in the top 10 at the moment).
>
>I do see the need to 'treat' extensions like 'exe' though, and adding the
>'rewrite' option (and the proposed functionality) to the
>filenames.rules.conf would be the best of both worlds. For example,
>renaming an attachment from file.exe to file.~exe or file.exe~ (the latter
>sounds easier, you can anchor to $) would a) show the original extension on
>'platforms' that have a tendency to hide them (happily exploited by the
>virus.jpg.scr type virus) b) leave the file untouched, but you have to
>actively rename and execute it to run it. Of course, MailScanner will
>include a warning and a short explanation as to why and how. Best of both
>worlds, it seems. People get their files, and they can't say they weren't
>informed about the risks.
>
>Of course, the primary goal is to intercept new viruses that are not in the
>DAT files yet (or at least to inform recipients of that possibility), but
>maintaining the lowest level of impact regarding those who have to send
>this kind of content using email. I may even start ordering MailScanner
>goodies.
>
>--
>- Ben C. O. Grimm ----------------- Ben.Grimm at wirehub.net -
>- Wirehub! Internet Engineering - http://www.wirehub.net/ -
>- Private Ponderings ----------- http://www.bengrimm.net/ -
>- Wirehub! Internet ----------- part of easynet Group plc -

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
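
The rename-with-warning idea proposed in this thread, sketched in Python as an added example; it is not MailScanner code and was not posted by any participant. The extension list, function names and notice wording are assumptions, and the sketch goes slightly beyond the thread by stripping trailing dots and spaces (which Windows ignores) before matching and by avoiding name collisions after the rename.

```python
import re

# Hypothetical extension list for illustration; a real gateway would load
# its own rules from configuration.
RENAME_EXTENSIONS = ("exe", "pif", "scr", "reg")

# Anchored to the end of the name and case-insensitive, so only the final
# extension decides (virus.jpg.scr matches on .scr, not .jpg).
_RULE = re.compile(r"\.(?:%s)$" % "|".join(RENAME_EXTENSIONS), re.IGNORECASE)

# Windows drops trailing dots and spaces, so "a.exe. " still opens as a.exe.
_TRAILING = re.compile(r"[. ]+$")


def defang_filename(name):
    """Return the renamed attachment name, or None if no rule matches."""
    normalized = _TRAILING.sub("", name)
    if _RULE.search(normalized):
        return normalized + "~"
    return None


def defang_attachments(names):
    """Return (final_names, notices) for one message's attachment names."""
    used = {n.lower() for n in names if defang_filename(n) is None}
    final, notices = [], []
    for name in names:
        new_name = defang_filename(name)
        if new_name is None:
            final.append(name)
            continue
        while new_name.lower() in used:   # e.g. a.exe next to an existing a.exe~
            new_name += "~"
        used.add(new_name.lower())
        final.append(new_name)
        notices.append(
            "Attachment %r was renamed to %r to prevent immediate execution; "
            "rename it back only if you were expecting this file."
            % (name, new_name))
    return final, notices


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["report.doc", "setup.EXE", "virus.jpg.scr", "a.exe. ", "a.exe~"]
    names, notes = defang_attachments(sample)
    print(names)
    print("\n".join(notes))
```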



